Bump minimum OpenSSL version to 1.1.1 #10969

Closed

GrahamCampbell
Contributor

OpenSSL 1.0.2 has been EOL since December 31, 2019, and OpenSSL 1.1.1 will be EOL on September 11, 2023. I don't think it makes sense to continue to support OpenSSL 1.0.2, when upgrading to 1.1.1 (and even 3.0, in some cases) is mostly easy. Most Linux distributions ship with OpenSSL 3.0 LTS these days, too. I would propose we bump the minimum version to 1.1.1 in PHP 8.3, then to 3.0 in PHP 8.5. Bumping to 1.1.1 also allows us to fix some deprecation warnings that appear when building on 3.0 (I think), while maintaining 1.1.1 compatibility, which will ultimately be necessary to enable building with 4.0 when that comes out.


List of major Linux distributions that will not be EOL before PHP 8.3's release date:

  • Debian 10 ships with OpenSSL 1.1.1n.
  • Debian 11 ships with OpenSSL 1.1.1n.
  • Debian 12 will ship with OpenSSL 3.0.8.
  • RHEL 8 ships with OpenSSL 1.1.1k.
  • RHEL 9 ships with OpenSSL 3.0.1.
  • Ubuntu 20.04 ships with OpenSSL 1.1.1f.
  • Ubuntu 22.04 ships with OpenSSL 3.0.2.
  • Alpine 3.16 ships with OpenSSL 1.1.1t.
  • Alpine 3.17 ships with OpenSSL 3.0.8.

All of them have 1.1.1 or 3.0.

@bukka
Member

bukka commented Mar 29, 2023

Unfortunately it is too early, as we still support RHEL 7 variants, which also include Amazon Linux 2. Those distros should still provide security updates for OpenSSL 1.0.2, and we want people to be able to install new PHP versions there. Amazon Linux 2 currently has its EOL in June 2025, so we won't be able to do this bump for some time.

@GrahamCampbell
Contributor Author

GrahamCampbell commented Mar 29, 2023

I thought RHEL 7 is out of maintenance this year? Can't such users just stick with PHP 8.2? ;)

@GrahamCampbell
Contributor Author

GrahamCampbell commented Mar 29, 2023

As far as I'm aware, most AL2 users install OpenSSL 1.1.1 or 3.0 themselves.

@bukka
Member

bukka commented Mar 29, 2023

Most people use packages, and currently the PHP ones are shipped with the default OpenSSL, but there is also openssl11 available, so maybe new packages could switch to that. I think most people would use Remi's repo for that, so I think it is really just a question for @remicollet. If he is fine with the bump, then I am too.

@bukka
Member

bukka commented Mar 29, 2023

Btw, RHEL 7 is supported till June 2024; see https://access.redhat.com/product-life-cycles/

@GrahamCampbell
Contributor Author

A lot of people use AL2 on Lambda to use PHP. Both Bref and Laravel Vapor compile OpenSSL 1.1.1 from source, in order to build PHP, ignoring the bundled OpenSSL.
